Reflected XSS Bootcamp

Lab: Basic Filter Bypass

Difficulty: Low

Lab Overview

This lab demonstrates a reflected XSS vulnerability with a basic filter that attempts to block the word "script".

Active Filter: The application removes the string 'script' from the Last Name parameter using str_replace('script', '', $_GET['lname'])

Objective: Bypass the filter and execute a JavaScript alert.

Backend Source Code
<?php
// Lab backend (intentionally vulnerable): the Last Name value is echoed into the
// page after a single case-sensitive str_replace, with no output encoding.
if(isset($_GET["fname"]) && isset($_GET["lname"])){
    $re = str_replace('script', '', $_GET['lname']); // only removes the exact lowercase string "script"
    echo $re;                                        // reflected into the HTML response unencoded
}
Hints & Filter Bypass Techniques
  • The filter only removes the exact lowercase string "script" - try case variations
  • Consider using nested tags or alternative event handlers
  • Try using HTML entities or encoding techniques
  • Experiment with different tag combinations that don't rely on the word "script"
  • Remember that the filter is only applied to the Last Name field
Security Note

This lab demonstrates why simple string replacement is an ineffective XSS prevention technique. Modern applications should use context-aware output encoding and proper sanitization libraries.

Real-world recommendation: Use HTMLPurifier or similar libraries that understand context and can properly neutralize XSS vectors.
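The following is an added example, not the lab's own code: the same handler rewritten with context-aware output encoding (htmlspecialchars), placed beside the lab's naive filter so the two can be compared on constructed inputs taken from the hints above. Function names (naive_filter, encode_for_html, render_name) are assumptions of this example.

```php
<?php
// The lab's filter, kept for comparison: case-sensitive removal of the literal "script".
function naive_filter(string $value): string {
    return str_replace('script', '', $value);
}

// Correct defence for an HTML text or quoted-attribute context: encode every
// character the HTML parser treats as markup, so the input renders as text.
function encode_for_html(string $value): string {
    return htmlspecialchars($value, ENT_QUOTES | ENT_SUBSTITUTE | ENT_HTML5, 'UTF-8');
}

// Hardened version of the lab's handler: same parameters, encoded on output.
function render_name(array $get): string {
    if (!isset($get['fname'], $get['lname'])) {
        return '';
    }
    return encode_for_html($get['fname']) . ' ' . encode_for_html($get['lname']);
}

// Constructed sample inputs (not real traffic), both already named by the lab.
$samples = [
    '<script>alert(1)</script>',  // the exact string the filter targets
    '<SCRIPT>alert(1)</SCRIPT>',  // case variation from the hints: filter leaves it untouched
];

foreach ($samples as $s) {
    printf("input:   %s\nfilter:  %s\nencoded: %s\n\n",
        $s, naive_filter($s), encode_for_html($s));
}

// Hardened handler on a constructed request: no raw "<" or ">" reaches the page.
echo render_name(['fname' => 'Ada', 'lname' => $samples[1]]), "\n";
```

Run with `php` on the command line; the encoded column never contains a raw `<`, whereas the filter column still does for the case-varied input.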